The long-running Dawson-Damer v Taylor Wessing case has resolved the issue of the extent to which a data controller must check through paper files when an individual makes a data subject access request. Whilst the case concerns the position under the previous data protection legislation, the Data Protection Act 1998 (DPA98), the Court of Appeal's findings can almost certainly also be applied in relation to the GDPR definition of a 'filing system'. In essence, the Court of Appeal has determined that the test is a functional one of whether specific criteria enable the data to be easily retrieved. A file that is completely unstructured beyond its chronological compilation is therefore unlikely to qualify.
The case concerns a Bahamian settlement and, in particular, subject access requests served by a beneficiary of the trust and her two adult children on Taylor Wessing, the trustee's solicitors. There were two issues in the case, one concerning legal professional privilege (which this note doesn't cover, but on which the Claimants were successful) and one relating to data protection.
The data protection issue was whether Taylor Wessing needed to search 35 paper files for personal data relating to the Claimants. The files were held under the description "Yuills Trusts" (the client being the trustee of those trusts), and the papers were filed in chronological order. Taylor Wessing said they were held without reference to any particular individuals or any piece of advice which would directly concern the Claimants as opposed to any other beneficiaries of the trust.
Under DPA98, an individual was entitled to access to their data which was "recorded as part of a relevant filing system". A 2003 case (Durant v Financial Services Authority) had adopted a narrow interpretation of a "relevant filing system", which in essence meant that only "sufficiently sophisticated" manual files effectively approximating to a computerised filing system would be caught. In 2011, the UK's Information Commissioner issued guidance containing what became known as "the temp test": "if you employed a temporary administrative assistant (a 'temp'), would they be able to extract specific information about an individual from your manual records without any particular knowledge of your type of work or the documents you hold?". Such a temp would be assumed to be reasonably competent but without any particular knowledge of the type of documents or work.
The Court of Appeal in Dawson-Damer has now confirmed that the narrow Durant test has been superseded by the decision of the Court of Justice of the European Union in Tietsuojavatuutettu.
As a result, the following questions must be asked when considering manual files:
- Are the files a "structured set of personal data"?
- Are the data accessible according to specific criteria?
- Are those criteria "related to individuals"?
- Do the specific criteria enable the data to be easily (or readily) retrieved?
The fourth question requires that the ready access is enabled by the structure of the files. In this case, whilst trainee and qualified lawyers had accessed the personal data through a page-turning exercise in the files, this was a clear indication that, in fact, the structure of the files did not enable ready access to the data.
The ICO's 'temp test', approved by the Court of Appeal in Dawson-Damer as a rule of thumb, has some superficial attraction but, of course, the world of document management has moved on since 2011. Arguably, the idea of an administrative assistant having the burden of leafing through a voluminous paper file is perhaps outdated, given that technology might in some cases be used to scan such files in and for keyword searching. It could even see controllers effectively evading their obligations to make personal data available to data subjects by relying on poor file management.
Under GDPR, a 'filing system' means "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis". Given the reference to 'structured set' in the definition, it appears likely that the Court of Appeal's test in Dawson-Damer will continue to be applied.
The ICO has recently closed its consultation on its updated draft Right of Access guidance. However, no detailed guidance is given as to the meaning of a 'filing system' under GDPR (albeit it is noted that under the Data Protection Act 2018 personal data held in unstructured manual records processed by public authorities is covered by the right of access).